File Ownership and Privileges

After completing the script, and before proceeding to the configuration steps below, you may need to adjust the ownership and access privileges for the files and directories installed. The script sets the group ownership to group 100, which may not be appropriate for your system. Consult your operating system documentation for the chgrp, chmod, and chown commands for details.

A good starting point would be to create a user group (e.g. "ashell" or perhaps the name of your application) and add all applicable users to that group. Then assign the entire A-Shell directory system to that group. Assuming you installed in /vm/miame, you could do this under most UNIX flavors as follows:

# cd /vm/miame

# chgrp –R ashell *

 

The above commands would assign every file in the entire directory tree starting from /vm/miame to the ashell group. You could then provide unlimited access to all files for all members of that group, as well as the actual file owner, very simply with the following commands:

# cd /vm/miame

# chmod –R ug+rwx *

 

This sets the read, write, and execute flags for both the owner and group for all files in all subdirectories starting from the /vm/miame.

If you are concerned about unauthorized users having the ability to overwrite important parts of the A-Shell installation, then you should set up a special user (or root) to be the owner of all the files distributed as part of A-Shell, and then allow only that user to have write privileges for those files. As an example, you might protect the files in the /vm/miame/bin and /vm/miame/dsk0/001004 directories as follows:

(while logged in as root)

# cd /vm/miame

# chown –R root *

# chmod 750 bin/*

# chmod 640 dsk0/001004/*

 

For all the files in the /vm/miame/bin directory (where the ashell executables normally are,) the above commands would allow read/write/execute access to the root user, read/execute to users in the ashell group, and no access to other users. The idea is similar for the /vm/miame/dsk0/001004 (aka SYS: or DSK0:[1,4]) directory, except that those files don’t need the execute bit, since they are never really executed by UNIX. Instead, they are handled like data by the A-Shell interpreter.

Use the UNIX ls –l command to verify the correct settings, which might look something like this:

# cd /vm/miame/bin

# ls –l

-rwxr-x---   1 root     ashell    827127 Jan 31 17:06 ashell

#

# cd /vm/miame/dsk0

# ls –l

drwxr-s---   2 root     ashell       512 Jan 31 17:27 001002

drwxr-s---   2 root     ashell      2048 Feb  2 11:47 001004

drwxr-s---   2 root     ashell       512 Aug 12 02:41 001006

drwxr-s---   2 root     ashell       512 Jan 31 17:17 002002

drwxr-s---   2 root     ashell       512 Jan 21 15:29 007000

drwxr-s---   2 root     ashell      2560 Jan 31 17:19 007006

#

# cd 001004

# ls –l

-rw-r-----   1 root     ashell      2474 Jan 31 17:03 time.lit

-rw-r-----   1 root     ashell      3024 Jan 31 17:03 type.lit

-rw-r-----   1 root     ashell      2396 Jan 31 17:03 ver.lit

<etc>

#

 

If you have files in a lot of directories (corresponding to many PPNs) you can use the –R (recursive) switch to chmod as follows to act on all of the subdirectories at once:

# cd /vm/miame/dsk0

# chmod –R 640 *

# chmod 750 *

 

The first chmod command above would set read/write privileges for the owner and read privileges for users in the ashell group for all files in all subdirectories of /vm/miame/dsk0. (The –R switch causes the command to descend the directory tree recursively.) The second chmod command then adds the execute flag to all of the files in the /vm/miame/dsk0 directory, since these files are actually directories, and directories must have the execute flag set.

Warning: Under most UNIX implementations, the execute flag must be set in all directories in order for users to be able to access those directories. Thus while the execute flag is not needed for most A-Shell files, such as *.RUN, *.LIT, and *.DAT, it is essential for the directories themselves.

 

Another warning: Shared data files in your application must offer read and write access to all users, so it would probably be unwise to limit write privileges to the file owner for such files. Putting your *.RUN files (which don’t need to be written to by all users) in a separate PPN (e.g. [p,0]) from your data files would make it easier to fine tune the access privileges at the directory level rather than the file level.

If you don’t care at all about security, and it doesn’t bother you if certain files have their executable flag set even though they are not really executables, then you can just set all the read/write/execute flags for all of the files as follows:

# cd /vm/miame

# chmod –R 777 *

 

In this case, the owner and group attributes don’t matter, since everyone is allowed all types of access.

Most versions of the chmod command support a syntax for adding or removing privileges, without having to replace the current privileges with a single specified value set. For example, chmod –R a+rw * would add the rw privilege bits (for all three levels – user, group, other) to all files in the current directory tree, without removing the x privilege bit from any files or directories that already have it set. Replacing the "a" with some combination of "u" (user/owner), "g" (group), and "o" (other) would limit the effect to the specified categories. Also, replacing the "+" with a "-" would remove rather than add the privilege bits.